In October 2016 Labour requested clarification on the future of UK cybersecurity policy vis-a-vis Brexit by asking “When does the UK government intend to enshrine the provisions of the Network and Information Security directive into UK law, and can it confirm that this will take place before Britain leaves the European Union so that there is no difference in the regulation governing UK-based digital service providers when offering services within the UK or in the rest of Europe?”
Relevant policy:
- Directive on Security of Network and Information Systems (See also: explanatory post)
- Commission Decision to establish a contractual public private partnership on cybersecurity (cPPP) (DSM)
Progress and developments:
- In October 2016 the UK opened its National Cyber Security Centre, a child organisation of GCHQ. It would naturally fulfil the role of the national cybersecurity authority as required by the Directive.
- In December 2016 a government report stated:
  “Government is separately considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations….the detailed scope and security requirements for NIS implementation will be set out by Government in 2017, informed by the work of the NCSC and lead Government departments with relevant sectors alongside broader Government consideration of critical infrastructure.”
  (Source: Cyber Security Regulation and Incentives Review (pdf), page 12, paragraph 4.10.)
- In August 2017 a consultation opened on the UK implementation of the Directive. It closes on 30 September.
- In December 2017 the European Scrutiny Committee of the House of Commons fairly blasted Government, and the Minister for Digital, for their lack of insight into post-Brexit cybersecurity arrangements, particularly the European Union Agency for Network and Information Security, given the inherent need for any cybersecurity arrangement to be cross-border and cooperative. They noted, amongst other questions:
  - The FCO expresses concern about prospective EU interference with national operational activities in the field of cybersecurity, whereas DCMS cautions that the Commission’s use of the term “operational” to describe ENISA’s proposed coordinating role in cross-border cybersecurity emergencies does not actually amount to an operational role in the UK usage of the term. What is the Government’s considered view on this aspect of the proposal?
  - Regarding the Brexit implications of the proposal, we ask the Government to provide:
    - a clear account of the means by which third countries currently participate in / cooperate with ENISA, including through the NIS Directive and its supporting institutional arrangements;
    - a fuller account of the anticipated impacts of a shift to third country status for the UK and UK-based operators with regards to the main provisions of the ENISA Regulation and the NIS Directive (e.g., what would the impact be on digital service providers?);
    - an explanation of the Government’s concerns about the potential impact on trade and investment of the proposal for an EU certification framework, and how this might affect the UK when it assumes third country status;
- A contrite Margot James provided the Committee with the clarification it sought in February 2018, but the Committee retained the proposal under scrutiny.